2025/11/21 - Security Incident Response - 2 new 2 updated api methods
Changes Add ListInvestigations and SendFeedback APIs to support SecurityIR AI agents
Investigation performed by an agent for a security incident...
See also: AWS API Documentation
Request Syntax
client.list_investigations(
nextToken='string',
maxResults=123,
caseId='string'
)
nextToken (string) --
Investigation performed by an agent for a security incident request
maxResults (integer) --
Investigation performed by an agent for a security incident request, returning max results
caseId (string) -- [REQUIRED]
Investigation performed by an agent for a security incident per caseID
Return type: dict
Response Syntax
{
'nextToken': 'string',
'investigationActions': [
{
'investigationId': 'string',
'actionType': 'Evidence'|'Investigation'|'Summarization',
'title': 'string',
'content': 'string',
'status': 'Pending'|'InProgress'|'Waiting'|'Completed'|'Failed'|'Cancelled',
'lastUpdated': datetime(2015, 1, 1),
'feedback': {
'usefulness': 'USEFUL'|'NOT_USEFUL',
'comment': 'string',
'submittedAt': datetime(2015, 1, 1)
}
},
]
}
Response Structure
(dict) --
nextToken (string) --
Investigation performed by an agent for a security incident for next Token
investigationActions (list) --
Investigation performed by an agent for a security incid… Unique identifier for the specific investigation
(dict) --
Represents an investigation action performed within a case. This structure captures the details of an automated or manual investigation, including its status, results, and user feedback.
investigationId (string) --
The unique identifier for this investigation action. This ID is used to track and reference the specific investigation throughout its lifecycle.
actionType (string) --
The type of investigation action being performed. This categorizes the investigation method or approach used in the case.
title (string) --
Human-readable summary of the investigation focus. This provides a brief description of what the investigation is examining or analyzing.
content (string) --
Detailed investigation results in rich markdown format. This field contains the comprehensive findings, analysis, and conclusions from the investigation.
status (string) --
The current execution status of the investigation. This indicates whether the investigation is pending, in progress, completed, or failed.
lastUpdated (datetime) --
ISO 8601 timestamp of the most recent status update. This indicates when the investigation was last modified or when its status last changed.
feedback (dict) --
User feedback for this investigation result. This contains the user's assessment and comments about the quality and usefulness of the investigation findings.
usefulness (string) --
User assessment of the investigation result's quality and helpfulness. This rating indicates how valuable the investigation findings were in addressing the case.
comment (string) --
Optional user comments providing additional context about the investigation feedback. This allows users to explain their rating or provide suggestions for improvement.
submittedAt (datetime) --
ISO 8601 timestamp when the feedback was submitted. This records when the user provided their assessment of the investigation results.
Send feedback on an investigation action returned in the response.
See also: AWS API Documentation
Request Syntax
client.send_feedback(
caseId='string',
resultId='string',
usefulness='USEFUL'|'NOT_USEFUL',
comment='string'
)
caseId (string) -- [REQUIRED]
Send feedback based on request caseID
resultId (string) -- [REQUIRED]
Send feedback based on request result ID
usefulness (string) -- [REQUIRED]
Required enum value indicating user assessment of result q.....
comment (string) --
Send feedback based on request comments
Return type: dict
Response Syntax
{}
Response Structure
(dict) --
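The two new calls above are meant to be used together: page through ListInvestigations with nextToken, then rate only the actions that are Completed and still carry no feedback. This is an added example, not code from the page or from the AWS SDK; `client` is any object exposing list_investigations and send_feedback with the request and response shapes documented above (a boto3 security-ir client, or the constructed FakeClient below for offline runs).

```python
def list_all_investigations(client, case_id, page_size=50):
    """Follow nextToken until the service stops returning one."""
    actions, token = [], None
    while True:
        kwargs = {"caseId": case_id, "maxResults": page_size}
        if token:
            kwargs["nextToken"] = token
        resp = client.list_investigations(**kwargs)
        actions.extend(resp.get("investigationActions", []))
        token = resp.get("nextToken")
        if not token:
            return actions

def submit_reviews(client, case_id, ratings):
    """Rate Completed, not-yet-rated actions. ratings maps investigationId ->
    (usefulness, comment); returns the ids actually sent."""
    sent = []
    for action in list_all_investigations(client, case_id):
        inv_id = action["investigationId"]
        unrated = action["status"] == "Completed" and not action.get("feedback")
        if not unrated or inv_id not in ratings:
            continue
        usefulness, comment = ratings[inv_id]
        if usefulness not in ("USEFUL", "NOT_USEFUL"):
            raise ValueError(f"bad usefulness for {inv_id}: {usefulness}")
        client.send_feedback(caseId=case_id, resultId=inv_id,
                             usefulness=usefulness, comment=comment)
        sent.append(inv_id)
    return sent

FAKE_PAGES = {  # constructed: two pages in the documented shape, fields trimmed
    None: {"nextToken": "p2", "investigationActions": [
        {"investigationId": "inv-1", "status": "Completed"}]},
    "p2": {"investigationActions": [
        {"investigationId": "inv-2", "status": "InProgress"},
        {"investigationId": "inv-3", "status": "Completed",
         "feedback": {"usefulness": "USEFUL"}}]},
}

class FakeClient:
    """Constructed stand-in for a boto3 security-ir client, for offline runs."""
    def __init__(self):
        self.feedback = []  # every SendFeedback call, in order

    def list_investigations(self, **kw):
        return FAKE_PAGES[kw.get("nextToken")]

    def send_feedback(self, **kw):
        self.feedback.append(kw)
        return {}
```

With a real client, `submit_reviews(boto3.client("security-ir"), case_id, ratings)` is the only line that changes.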
Changes {'caseMetadata': [{'key': 'string', 'value': 'string'}]}
Returns the attributes of a case.
See also: AWS API Documentation
Request Syntax
client.get_case(
caseId='string'
)
caseId (string) -- [REQUIRED]
Required element for GetCase to identify the requested case ID.
Return type: dict
Response Syntax
{
'title': 'string',
'caseArn': 'string',
'description': 'string',
'caseStatus': 'Submitted'|'Acknowledged'|'Detection and Analysis'|'Containment, Eradication and Recovery'|'Post-incident Activities'|'Ready to Close'|'Closed',
'engagementType': 'Security Incident'|'Investigation',
'reportedIncidentStartDate': datetime(2015, 1, 1),
'actualIncidentStartDate': datetime(2015, 1, 1),
'impactedAwsRegions': [
{
'region': 'af-south-1'|'ap-east-1'|'ap-east-2'|'ap-northeast-1'|'ap-northeast-2'|'ap-northeast-3'|'ap-south-1'|'ap-south-2'|'ap-southeast-1'|'ap-southeast-2'|'ap-southeast-3'|'ap-southeast-4'|'ap-southeast-5'|'ap-southeast-6'|'ap-southeast-7'|'ca-central-1'|'ca-west-1'|'cn-north-1'|'cn-northwest-1'|'eu-central-1'|'eu-central-2'|'eu-north-1'|'eu-south-1'|'eu-south-2'|'eu-west-1'|'eu-west-2'|'eu-west-3'|'il-central-1'|'me-central-1'|'me-south-1'|'mx-central-1'|'sa-east-1'|'us-east-1'|'us-east-2'|'us-west-1'|'us-west-2'
},
],
'threatActorIpAddresses': [
{
'ipAddress': 'string',
'userAgent': 'string'
},
],
'pendingAction': 'Customer'|'None',
'impactedAccounts': [
'string',
],
'watchers': [
{
'email': 'string',
'name': 'string',
'jobTitle': 'string'
},
],
'createdDate': datetime(2015, 1, 1),
'lastUpdatedDate': datetime(2015, 1, 1),
'closureCode': 'Investigation Completed'|'Not Resolved'|'False Positive'|'Duplicate',
'resolverType': 'AWS'|'Self',
'impactedServices': [
'string',
],
'caseAttachments': [
{
'attachmentId': 'string',
'fileName': 'string',
'attachmentStatus': 'Verified'|'Failed'|'Pending',
'creator': 'string',
'createdDate': datetime(2015, 1, 1)
},
],
'closedDate': datetime(2015, 1, 1),
'caseMetadata': [
{
'key': 'string',
'value': 'string'
},
]
}
Response Structure
(dict) --
title (string) --
Response element for GetCase that provides the case title.
caseArn (string) --
Response element for GetCase that provides the case ARN
description (string) --
Response element for GetCase that provides contents of the case description.
caseStatus (string) --
Response element for GetCase that provides the case status. Options for statuses include Submitted | Detection and Analysis | Eradication, Containment and Recovery | Post-Incident Activities | Closed
engagementType (string) --
Response element for GetCase that provides the engagement type. Options for engagement type include Active Security Event | Investigations
reportedIncidentStartDate (datetime) --
Response element for GetCase that provides the customer provided incident start date.
actualIncidentStartDate (datetime) --
Response element for GetCase that provides the actual incident start date as identified by data analysis during the investigation.
impactedAwsRegions (list) --
Response element for GetCase that provides the impacted regions.
(dict) --
region (string) --
threatActorIpAddresses (list) --
Response element for GetCase that provides a list of suspicious IP addresses associated with unauthorized activity.
(dict) --
ipAddress (string) --
userAgent (string) --
pendingAction (string) --
Response element for GetCase that identifies whether the case is waiting on customer input.
impactedAccounts (list) --
Response element for GetCase that provides a list of impacted accounts.
(string) --
watchers (list) --
Response element for GetCase that provides a list of Watchers added to the case.
(dict) --
email (string) --
name (string) --
jobTitle (string) --
createdDate (datetime) --
Response element for GetCase that provides the date the case was created.
lastUpdatedDate (datetime) --
Response element for GetCase that provides the date a case was last modified.
closureCode (string) --
Response element for GetCase that provides the summary code for why a case was closed.
resolverType (string) --
Response element for GetCase that provides the current resolver types.
impactedServices (list) --
Response element for GetCase that provides a list of impacted services.
(string) --
caseAttachments (list) --
Response element for GetCase that provides a list of current case attachments.
(dict) --
attachmentId (string) --
fileName (string) --
attachmentStatus (string) --
creator (string) --
createdDate (datetime) --
closedDate (datetime) --
Response element for GetCase that provides the date a specified case was closed.
caseMetadata (list) --
Case response metadata
(dict) --
Represents a single metadata entry associated with a case. Each entry consists of a key-value pair that provides additional contextual information about the case, such as classification tags, custom attributes, or system-generated properties.
key (string) --
The identifier for the metadata field. This key uniquely identifies the type of metadata being stored, such as "severity", "category", or "assignee".
value (string) --
The value associated with the metadata key. This contains the actual data for the metadata field identified by the key.
Changes {'caseMetadata': [{'key': 'string', 'value': 'string'}]}
Updates an existing case.
See also: AWS API Documentation
Request Syntax
client.update_case(
caseId='string',
title='string',
description='string',
reportedIncidentStartDate=datetime(2015, 1, 1),
actualIncidentStartDate=datetime(2015, 1, 1),
engagementType='Security Incident'|'Investigation',
watchersToAdd=[
{
'email': 'string',
'name': 'string',
'jobTitle': 'string'
},
],
watchersToDelete=[
{
'email': 'string',
'name': 'string',
'jobTitle': 'string'
},
],
threatActorIpAddressesToAdd=[
{
'ipAddress': 'string',
'userAgent': 'string'
},
],
threatActorIpAddressesToDelete=[
{
'ipAddress': 'string',
'userAgent': 'string'
},
],
impactedServicesToAdd=[
'string',
],
impactedServicesToDelete=[
'string',
],
impactedAwsRegionsToAdd=[
{
'region': 'af-south-1'|'ap-east-1'|'ap-east-2'|'ap-northeast-1'|'ap-northeast-2'|'ap-northeast-3'|'ap-south-1'|'ap-south-2'|'ap-southeast-1'|'ap-southeast-2'|'ap-southeast-3'|'ap-southeast-4'|'ap-southeast-5'|'ap-southeast-6'|'ap-southeast-7'|'ca-central-1'|'ca-west-1'|'cn-north-1'|'cn-northwest-1'|'eu-central-1'|'eu-central-2'|'eu-north-1'|'eu-south-1'|'eu-south-2'|'eu-west-1'|'eu-west-2'|'eu-west-3'|'il-central-1'|'me-central-1'|'me-south-1'|'mx-central-1'|'sa-east-1'|'us-east-1'|'us-east-2'|'us-west-1'|'us-west-2'
},
],
impactedAwsRegionsToDelete=[
{
'region': 'af-south-1'|'ap-east-1'|'ap-east-2'|'ap-northeast-1'|'ap-northeast-2'|'ap-northeast-3'|'ap-south-1'|'ap-south-2'|'ap-southeast-1'|'ap-southeast-2'|'ap-southeast-3'|'ap-southeast-4'|'ap-southeast-5'|'ap-southeast-6'|'ap-southeast-7'|'ca-central-1'|'ca-west-1'|'cn-north-1'|'cn-northwest-1'|'eu-central-1'|'eu-central-2'|'eu-north-1'|'eu-south-1'|'eu-south-2'|'eu-west-1'|'eu-west-2'|'eu-west-3'|'il-central-1'|'me-central-1'|'me-south-1'|'mx-central-1'|'sa-east-1'|'us-east-1'|'us-east-2'|'us-west-1'|'us-west-2'
},
],
impactedAccountsToAdd=[
'string',
],
impactedAccountsToDelete=[
'string',
],
caseMetadata=[
{
'key': 'string',
'value': 'string'
},
]
)
caseId (string) -- [REQUIRED]
Required element for UpdateCase to identify the case ID for updates.
title (string) --
Optional element for UpdateCase to provide content for the title field.
description (string) --
Optional element for UpdateCase to provide content for the description field.
reportedIncidentStartDate (datetime) --
Optional element for UpdateCase to provide content for the customer reported incident start date field.
actualIncidentStartDate (datetime) --
Optional element for UpdateCase to provide content for the incident start date field.
engagementType (string) --
Optional element for UpdateCase to provide content for the engagement type field. Available engagement types include Security Incident | Investigation.
watchersToAdd (list) --
Optional element for UpdateCase to provide content to add additional watchers to a case.
(dict) --
email (string) -- [REQUIRED]
name (string) --
jobTitle (string) --
watchersToDelete (list) --
Optional element for UpdateCase to provide content to remove existing watchers from a case.
(dict) --
email (string) -- [REQUIRED]
name (string) --
jobTitle (string) --
threatActorIpAddressesToAdd (list) --
Optional element for UpdateCase to provide content to add additional suspicious IP addresses related to a case.
(dict) --
ipAddress (string) -- [REQUIRED]
userAgent (string) --
threatActorIpAddressesToDelete (list) --
Optional element for UpdateCase to provide content to remove suspicious IP addresses from a case.
(dict) --
ipAddress (string) -- [REQUIRED]
userAgent (string) --
impactedServicesToAdd (list) --
Optional element for UpdateCase to provide content to add services impacted.
(string) --
impactedServicesToDelete (list) --
Optional element for UpdateCase to provide content to remove services impacted.
(string) --
impactedAwsRegionsToAdd (list) --
Optional element for UpdateCase to provide content to add regions impacted.
(dict) --
region (string) -- [REQUIRED]
impactedAwsRegionsToDelete (list) --
Optional element for UpdateCase to provide content to remove regions impacted.
(dict) --
region (string) -- [REQUIRED]
impactedAccountsToAdd (list) --
Optional element for UpdateCase to provide content to add accounts impacted.
(string) --
impactedAccountsToDelete (list) --
Optional element for UpdateCase to provide content to remove accounts impacted.
(string) --
caseMetadata (list) --
Update the case request with case metadata
(dict) --
Represents a single metadata entry associated with a case. Each entry consists of a key-value pair that provides additional contextual information about the case, such as classification tags, custom attributes, or system-generated properties.
key (string) -- [REQUIRED]
The identifier for the metadata field. This key uniquely identifies the type of metadata being stored, such as "severity", "category", or "assignee".
value (string) -- [REQUIRED]
The value associated with the metadata key. This contains the actual data for the metadata field identified by the key.
Return type: dict
Response Syntax
{}
Response Structure
(dict) --
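UpdateCase expresses list changes as paired ToAdd / ToDelete arguments, so a safe way to drive it is to read the current case with GetCase, diff it against the desired state, and send only the entries that differ (keyed on ipAddress, email and region). This is an added example, not code from the page or the AWS SDK; SAMPLE_CASE is a constructed subset of a GetCase response, and `client` in reconcile is assumed to be a boto3 security-ir client exposing get_case and update_case as documented above.

```python
import ipaddress

def diff_by_key(current, desired, key):
    """Split a list-of-dict case field into ToAdd / ToDelete lists, matching
    entries on one key field (email, ipAddress, region)."""
    have = {item[key]: item for item in current}
    want = {item[key]: item for item in desired}
    to_add = [want[k] for k in want if k not in have]
    to_delete = [have[k] for k in have if k not in want]
    return to_add, to_delete

def build_update(case, desired_ips, desired_watchers, desired_regions):
    """Return the update_case keyword arguments that move `case` (a GetCase
    response) to the desired state; an empty dict means nothing to send."""
    for entry in desired_ips:
        ipaddress.ip_address(entry["ipAddress"])  # ValueError on malformed input
    kwargs = {}
    for field, key, desired in (
        ("threatActorIpAddresses", "ipAddress", desired_ips),
        ("watchers", "email", desired_watchers),
        ("impactedAwsRegions", "region", desired_regions),
    ):
        to_add, to_delete = diff_by_key(case.get(field, []), desired, key)
        if to_add:
            kwargs[field + "ToAdd"] = to_add
        if to_delete:
            kwargs[field + "ToDelete"] = to_delete
    return kwargs

def reconcile(client, case_id, desired_ips, desired_watchers, desired_regions):
    """GetCase, diff, and call UpdateCase only when something changed."""
    case = client.get_case(caseId=case_id)
    kwargs = build_update(case, desired_ips, desired_watchers, desired_regions)
    if kwargs:
        client.update_case(caseId=case_id, **kwargs)
    return kwargs

SAMPLE_CASE = {  # constructed subset of a GetCase response (documentation IPs)
    "caseStatus": "Detection and Analysis",
    "threatActorIpAddresses": [{"ipAddress": "203.0.113.7", "userAgent": "curl/8.0"}],
    "watchers": [{"email": "oncall@example.com", "name": "On-call"}],
    "impactedAwsRegions": [{"region": "us-east-1"}],
}
```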